<html>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<head>
<title>Section 11.3.&nbsp; File Manipulation</title>
<link rel="STYLESHEET" type="text/css" href="images/style.css">
<link rel="STYLESHEET" type="text/css" href="images/docsafari.css">
</head>
<body>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td><div STYLE="MARGIN-LEFT: 0.15in;">
<a href=learnphpmysql-CHP-11-SECT-2.html><img src="images/prev.gif" width="60" height="17" border="0" align="absmiddle" alt="Previous Page"></a>
<td align="right"><div STYLE="MARGIN-LEFT: 0.15in;">
<a href=learnphpmysql-CHP-11-SECT-4.html><img src="images/next.gif" width="60" height="17" border="0" align="absmiddle" alt="Next Page"></a>
</div></td></tr></table>
<br><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td valign="top"><a name="learnphpmysql-CHP-11-SECT-3"></a>
<h3 id="title-IDAXYD1L" class="docSection1Title">11.3. File Manipulation</h3>
<a name="IDX-CHP-11-0552"></a> 

<p class="docText">There may be times when you don't want to store information in a database and may want to work directly with a file instead. An example is a logfile that tracks when your application can't connect to the database. It'd be impossible to keep this information in the database, since it's not available at exactly the time you'd need to write to it. PHP provides functions for file manipulation<a name="IDX-CHP-11-0553"></a> 
 that can perform the following:</p>
<ul><li><p class="docList">Check the existence of a file</p></li><li><p class="docList">Create a file</p></li><li><p class="docList">Append to a file</p></LI><li><p class="docList">Rename a file</p></LI><LI><p class="docList">Delete a file</p></LI></ul>
<p class="docText">We've already discussed the <tt>include</tt> and <tt>require</tt> functions for pulling information directly into a PHP script. At this junction, we'll focus on working with file content.</p>
<p><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><TR><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><TD width="60" valign="top"><img src="images/warning_yellow.jpg" width="51" height="36" alt=""></td><td valign="top">
<p class="docText">Since working directly with files from your PHP code can create security risks, it's a good idea to find solutions to problems that don't use files directly if possible; for example, storing information in a database instead of file. You must be very careful to not allow misuse of your PHP programs to either read or destroy the contents of important files either accidentally or as part of an attack.</P>
</td></tr></table></td></tr></table></P><BR>
<a name="learnphpmysql-CHP-11-SECT-3.1"></a>
<h4 id="title-IDAK0D1L" class="docSection2Title">11.3.1. Functions and Precautions</h4>
<a name="IDX-CHP-11-0554"></a> 
<a name="IDX-CHP-11-0555"></a> 
<a name="IDX-CHP-11-0556"></a> 
<a name="IDX-CHP-11-0557"></a> 

<p class="docText">To check for the existence of a file, use the function <tt>file_exists</tt>,<a name="IDX-CHP-11-0558"></a> 
 which takes the name of the file to check for its parameter, as shown in <a class="docLink" href="#learnphpmysql-CHP-11-EX-20">Example 11-20</a>. If the file exists, it returns <tt>trUE</tt>; otherwise, it returns <tt>FALSE</tt>.</p>
<a name="learnphpmysql-CHP-11-EX-20"></a><H5 id="title-IDAT1D1L" class="docExampleTitle">Example 11-20. The file_exists.php script checks to see if the file is there</h5><P><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><TD>

<pre>
&lt;?php
  $file_name="file_exists.php";

  if(file_exists($file_name)) {
    echo ("$file_name does exist.");
  }
  else {
    echo ("$file_name does not exist.");
  }
?&gt;
</pre><BR>

</TD></tr></table></p>
<p class="docText">As you would expect, the file does exist:</p>
<pre>
The file exists.php does exist.
</pre><br>

<p class="docText">PHP provides several functions to tell you about various file attributes. PHP has the ability to read data from, and write data to, files on your system. However, it doesn't just stop there. It comes with a full-featured file-and-directory-manipulation API that allows you to:</p>
<ul><li><p class="docList">View and modify file attributes</p></li><li><p class="docList">Read and list directory contents</p></li><li><p class="docList">Alter file permissions</p></LI><li><p class="docList">Retrieve file contents into a variety of native data structures</p></LI><LI><p class="docList">Search for files based on specific patterns</p></LI></ul>
<p class="docText">All of this file manipulation through the API is robust and flexible. These characteristics are why we're writing this book. PHP has a lot of great commands, including all the file manipulation ones.</p>
<a name="learnphpmysql-CHP-11-SECT-3.1.1"></a>
<h5 id="title-IDAX2D1L" class="docSection3Title">11.3.1.1. Permissions</H5>
<p class="docText">Now that you know a file exists, you may think you're done, but you're not. Just because it's there doesn't mean you can read, write, or execute the file. To check for these attributes, use <tt>is_readable</tt><a name="IDX-CHP-11-0559"></a> 
 to check for read access, <tt>is_writable</tt><a name="IDX-CHP-11-0560"></a> 
 to check for write access, and <tt>is_executable</tt><a name="IDX-CHP-11-0561"></a> 
 to check for the ability to execute the file. Each function takes a filename as its parameter. Unless you know the file is in the same directory as your script, you <span class="docEmphasis">must</span> specify a full path to the file in the filename. You can use concatenation to put the path and filename together, as in:</p>
<pre>
$file_name = $path_to_file . $file_name_only;
</pre><br>

<p class="docText">Let's go ahead and expand the last example to also check for these details. <a class="docLink" href="#learnphpmysql-CHP-11-EX-21">Example 11-21</a> assumes the script is saved as <span class="docEmphasis">permissions.php</span>.</P>
<a name="learnphpmysql-CHP-11-EX-21"></a><h5 id="title-IDAA4D1L" class="docExampleTitle">Example 11-21. Checking the permissions of a file</h5><P><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><td>

<pre>
&lt;?php
  $file_name="permissions.php";

  if(is_readable($file_name)) {
    echo ("The file $file_name is readable.&lt;br&gt;");
  }
  else {
    echo ("The file $file_name is not readable.&lt;br&gt;");
  }
  if(is_writeable($file_name)) {
    echo ("The file $file_name is writeable.&lt;br&gt;");
  }
  else {
    echo ("The file $file_name is not writeable.&lt;br&gt;");
  }
  if(is_executable($file_name)) {
    echo ("The file $file_name is executable.&lt;br&gt;");
  }
  else {
    echo ("The file $file_name is not executable.&lt;br&gt;");
  }
?&gt;
</pre><br>

</td></TR></table></P>
<p class="docText">The code tells you the many details regarding permissions on the file in <a class="docLink" href="#learnphpmysql-CHP-11-FIG-17">Figure 11-17</a>.</p>
<a name="learnphpmysql-CHP-11-FIG-17"></a><p><center>
<h5 class="docFigureTitle">Figure 11-17. This file is readable but not executable or writable to PHP</h5>
<img border="0" alt="" id="195131084204" width="549" height="159" SRC="images/learnphpmysql_1117.jpg">
</center></P><br>

<a name="learnphpmysql-CHP-11-SECT-3.1.2"></a>
<H5 id="title-IDA44D1L" class="docSection3Title">11.3.1.2. Creating files</h5>
<a name="IDX-CHP-11-0562"></a> 
<a name="IDX-CHP-11-0563"></a> 
<a name="IDX-CHP-11-0564"></a> 

<p class="docText">Files can be created with the <tt>touch</tt><a name="IDX-CHP-11-0565"></a> 
 command. This command takes a filename as its parameter. If a file doesn't already exist, it's created as an empty zero length file. If the file does exist, only its modification time is updated.</P>

<a name="learnphpmysql-CHP-11-SECT-3.1.3"></a>
<H5 id="title-IDA15D1L" class="docSection3Title">11.3.1.3. Deleting files</H5>
<a name="IDX-CHP-11-0566"></a> 
<a name="IDX-CHP-11-0567"></a> 
<a name="IDX-CHP-11-0568"></a> 
<a name="IDX-CHP-11-0569"></a> 

<p class="docText">Files can be deleted with the <tt>unlink</tt><a name="IDX-CHP-11-0570"></a> 
 command. This command, shown in <a class="docLink" href="#learnphpmysql-CHP-11-EX-22">Example 11-22</a>, takes a filename as its parameter. If a file exists and PHP has adequate permission, it'll delete the file. You must be very careful when deleting<a name="IDX-CHP-11-0571"></a> 
 files not to accidentally delete a file that you still want. If you're using a filename that is derived from user input, you must also be very careful that the filename hasn't been crafted by the user to delete a different file than you intended. <a class="docLink" href="#learnphpmysql-CHP-11-EX-22">Example 11-22</a> shows how to use <tt>file_exists, touch</tt>, and <tt>unlink</tt>.</p>
<p><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="images/warning_yellow.jpg" width="51" height="36" alt=""></td><td valign="top">
<p class="docText">Always be careful when deleting files, as you won't be able to retrieve your data!</p>
</td></tr></table></td></tr></table></p><BR>
<a name="learnphpmysql-CHP-11-EX-22"></a><h5 id="title-IDAZJE1L" class="docExampleTitle">Example 11-22. Using file_exists, touch, and unlink together</h5><P><table cellspacing="0" width="90%" border="1" cellpadding="5"><TR><td>

<pre>
&lt;?php
  $file_name="test.txt";

  if(file_exists($file_name)) {
    echo ("$file_name does exist.&lt;br&gt;");
  }
  else {
    echo ("The file $file_name does not exist.&lt;br&gt;");
    touch($file_name);
  }
  if(file_exists($file_name)) {
    echo ("The file $file_name does exist.&lt;br&gt;");
    unlink($file_name);
  }
  else {
    echo ("The file $file_name does not exist.&lt;br&gt;");
  }
  if(file_exists($file_name)) {
    echo ("The file $file_name does exist.&lt;br&gt;");
  }
  else {
    echo ("The file $file_name does not exist.&lt;br&gt;");
  }
?&gt;
</pre><BR>

</td></tr></table></p>
<p class="docText">The output looks like <a class="docLink" href="#learnphpmysql-CHP-11-FIG-18">Figure 11-18</a>.</P>
<a name="learnphpmysql-CHP-11-FIG-18"></a><p><center>
<h5 class="docFigureTitle">Figure 11-18. The test.txt file is created and removed</H5>
<img border="0" alt="" id="195131084204" width="466" height="135" SRC="images/learnphpmysql_1118.jpg">
</center></p><br>

<a name="learnphpmysql-CHP-11-SECT-3.1.4"></a>
<H5 id="title-IDAXKE1L" class="docSection3Title">11.3.1.4. Moving files</h5>
<p class="docText">To move a file, you should use the <tt>rename</tt> function. It renames files or directories and takes the old name and the new name as its parameters. As of PHP 5.0, <tt>rename</tt> can also be used with some URL wrappers, and context support has been added. <a class="docLink" href="#learnphpmysql-CHP-11-EX-23">Example 11-23</a> assumes that you've recreated the <span class="docEmphasis">test.txt</span> file.</p>
<a name="learnphpmysql-CHP-11-EX-23"></a><h5 id="title-IDALLE1L" class="docExampleTitle">Example 11-23. Renaming a file</h5><P><table cellspacing="0" width="90%" border="1" cellpadding="5"><TR><td>

<pre>
&lt;?php
  $file_name="test.txt";
  $new_file_name="production.txt";
  $status=rename($file_name,$new_file_name);
  if ($status) {
    echo ("Renamed file.");
  }
?&gt;
</pre><br>

</td></tr></table></P>
<p class="docText">The file has been renamed, as is demonstrated in the report from <a class="docLink" href="#learnphpmysql-CHP-11-EX-23">Example 11-23</a>.</p>
<pre>
Renamed file.
</pre><BR>



<a name="learnphpmysql-CHP-11-SECT-3.2"></a>
<h4 id="title-IDAAME1L" class="docSection2Title">11.3.2. URL Wrappers</H4>
<p class="docText">Two URL protocols that PHP has built in for use with the filesystem functions include <tt>fopen</tt> and <tt>copy</tt>. In addition to these two wrappers, as of PHP 4.3.0, you can write your own wrappers using a PHP script and <tt>stream_wrapper_register</tt>. The default wrapper is <span class="docEmphasis">file://</span>, used with PHP, and it is the local filesystem. If you specify a relative path, which is one that doesn't begin with <tt>/, \, \\</tt>, or a Windows drive letter, such as <span class="docEmphasis">C://</span>, the path provided applies against the current working directory. Usually this is where the script resides, unless of course, it's been changed.</P>
<p class="docText">With some functions, such as <tt>fopen</tt> and <tt>file_get_contents, include_path</tt> can be used to search for relative paths as well. <a class="docLink" href="#learnphpmysql-CHP-11-TABLE-3">Table 11-3</a> provides a URL wrapper summary for reference.</P>
<a name="learnphpmysql-CHP-11-TABLE-3"></a><p><table cellspacing="0" FRAME="hsides" RULES="all" cellpadding="4" width="100%"><caption><h5 class="docTableTitle">Table 11-3. URL wrappers</h5></caption><colgroup span="2"><col><col></colgroup><thead><tr><th class="thead" scope="col" align="left"><p class="docText">Attribute</p></th><th class="thead" scope="col" align="left"><p class="docText">Supported</p></th></tr></thead><tr><td class="docTableCell" align="left"><p class="docText">Restricted by <tt>allow_url_fopen</tt></p></td><td class="docTableCell" align="left"><p class="docText">No</p></td></TR><tr><td class="docTableCell" align="left"><p class="docText">Allows reading</P></TD><td class="docTableCell" align="left"><p class="docText">Yes</P></td></tr><tr><TD class="docTableCell" align="left"><p class="docText">Allows simultaneous reading and writing</p></td><TD class="docTableCell" align="left"><p class="docText">Yes</p></td></TR><tr><td class="docTableCell" align="left"><p class="docText">Allows writing</p></td><TD class="docTableCell" align="left"><p class="docText">Yes</P></td></tr><tr><td class="docTableCell" align="left"><p class="docText">Allows appending</P></td><TD class="docTableCell" align="left"><p class="docText">Yes</p></TD></TR><TR><td class="docTableCell" align="left"><p class="docText">Supports <tt>stat</tt></p></td><td class="docTableCell" align="left"><p class="docText">Yes</p></td></tr><tr><td class="docTableCell" align="left"><p class="docText">Supports <tt>rename</tt></p></td><td class="docTableCell" align="left"><p class="docText">Yes</p></td></TR><tr><td class="docTableCell" align="left"><p class="docText">Supports <tt>mkdir</tt></P></TD><td class="docTableCell" align="left"><p class="docText">Yes</P></td></tr><tr><TD class="docTableCell" align="left"><p class="docText">Supports <tt>rmdir</tt></p></td><TD class="docTableCell" align="left"><p class="docText">Yes</p></td></TR></table></p><br>

<a name="learnphpmysql-CHP-11-SECT-3.3"></a>
<h4 id="title-IDABSE1L" class="docSection2Title">11.3.3. Uploading Files</h4>
<a name="IDX-CHP-11-0574"></a> 
<a name="IDX-CHP-11-0575"></a> 

<p class="docText">It's a fairly common requirement for a PHP-based site to allow file uploads. For example, on a blog site, a user may want to upload an image to go with her post. We'll walk through the steps to upload a file, because you'll be designing a blog in <a class="docLink" href="learnphpmysql-CHP-16.html#learnphpmysql-CHP-16">Chapter 16</a>. PHP allows you to do this with the help of forms input.</P>
<p class="docText">When you use the file upload form field, the client's browser pulls up a file selection dialog, so you don't have to worry about doing that. The code to include in the file upload field is <tt>&lt;input type="file" name="file"&gt;</tt>. You must also add <tt>enctype="multipart/form"</tt> to the <tt>form</tt> tag. This allows a file to be sent with the form submission. Finally, because of the increased size of the form submission, you must use the <tt>POST</tt> type submission instead of <tt>GET</tt>.</P>
<p><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><td><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><TD width="60" valign="top"><img src="images/tip_yellow.jpg" width="50" height="54" alt=""></td><TD valign="top">
<p class="docText">The <span class="docEmphasis">php.ini</span> configuration file has a setting that globally limits the size of file upload, called <tt>upload_max_filesize</tt>. The default value is 2 MB. This helps prevent denial-of-service attacks in which an attacker uploads many huge files to slow your connection or fill up your server's storage.</p>
</TD></TR></table></TD></tr></table></p><br>
<p class="docText">Once the user selects a file from the HTML form produced by <a class="docLink" href="#learnphpmysql-CHP-11-EX-24">Example 11-24</a> and clicks Submit, Apache does some of the hard work by handling the upload and placing it into a temporary directory with a temporary filename. It's now up to you to validate the upload and move it if it passes validation.</p>
<a name="learnphpmysql-CHP-11-EX-24"></a><h5 id="title-IDA0TE1L" class="docExampleTitle">Example 11-24. Prompting to upload a file</h5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><td>

<pre>
&lt;html&gt;
&lt;head&gt;&lt;/head&gt;
&lt;body&gt;
&lt;form action="&lt;?=$PHP_SELF?&gt;" <b>method="post" enctype="multipart/form-data</b>"&gt;
&lt;br&gt;&lt;br&gt;
Choose a file to upload:&lt;br&gt;
&lt;<b>input type="file" name="upload_file</b>"&gt;
&lt;br&gt;
&lt;input type="submit" name="submit" value="submit"&gt;
&lt;/form&gt;

&lt;/body&gt;
&lt;/html&gt;
</pre><br>

</td></tr></table></P>
<a name="learnphpmysql-CHP-11-SECT-3.3.1"></a>
<h5 id="title-IDAIUE1L" class="docSection3Title">11.3.3.1. Accessing the file</h5>
<a name="IDX-CHP-11-0576"></a> 

<p class="docText">Access the uploaded file like you access other attribute form submissions, by their name, which in this case is <span class="docEmphasis">upload_file</span>. The difference is that file upload variables are arrays that contain several attributes about the upload.</P>
<p class="docText">The attributes in <a class="docLink" href="#learnphpmysql-CHP-11-TABLE-4">Table 11-4</a> provide you with enough information to analyze the file.</P>
<a name="learnphpmysql-CHP-11-TABLE-4"></a><p><table cellspacing="0" FRAME="hsides" RULES="all" cellpadding="4" width="100%"><caption><H5 class="docTableTitle">Table 11-4. File upload attribute</h5></caption><colgroup span="2"><col><col></colgroup><thead><tr><th class="thead" scope="col" align="left"><p class="docText">Attribute</p></th><th class="thead" scope="col" align="left"><p class="docText">Meaning</P></th></tr></thead><tr><TD class="docTableCell" align="left"><p class="docText"><tt>$HTTP_POST_FILES['</tt><tt><i>upload_file</i></tt><tt>']</tt></P></td><td class="docTableCell" align="left"><p class="docText">The array; replace <tt><i>upload_file</i></tt> with the name of your upload file submission variable</P></TD></tr><tr><td class="docTableCell" align="left"><p class="docText"><tt>$HTTP_POST_FILES['</tt> <tt><i>upload_file</I></tt><tt>']['name']</tt></p></TD><td class="docTableCell" align="left"><p class="docText">The original name of the file</P></TD></TR><tr><td class="docTableCell" align="left"><p class="docText"><tt>$HTTP_POST_FILES['</tt> <tt><i>upload_fil</i></tt><tt>e']['tmp_name']</tt></p></td><td class="docTableCell" align="left"><p class="docText">The temporary name assigned during the upload process</p></td></tr><tr><td class="docTableCell" align="left"><p class="docText"><tt>$HTTP_POST_FILES['</tt> <tt><i>upload_file</i></tt><tt>']['type']</tt></P></td><td class="docTableCell" align="left"><p class="docText">The file's mime type</P></TD></tr><TR><td class="docTableCell" align="left"><p class="docText"><tt>$HTTP_POST_FILES['</tt> <tt><i>upload_file</i></tt><tt>']['size']</tt></P></td><td class="docTableCell" align="left"><p class="docText">The file's size in bytes</P></td></tr></table></P><br>

<a name="learnphpmysql-CHP-11-SECT-3.3.2"></a>
<h5 id="title-IDAXYE1L" class="docSection3Title">11.3.3.2. Validation</h5>
<p class="docText">You need to validate the file to ensure that it's not too big orworse yetin a file format that isn't allowed, such as a <span class="docEmphasis">.zip</span> file when you allow only <span class="docEmphasis">.jpg</span> files.<a name="IDX-CHP-11-0577"></a> 
 You validate in this order:</p>
<div style="font-weight:bold"><ol class="docList" type="1"><LI><div style="font-weight:normal"><p class="docList">Was a file actually sent?</P></div></li><li><div style="font-weight:normal"><p class="docList">Is it too big?</p></div></li><LI><div style="font-weight:normal"><p class="docList">Is it the wrong type?</p></div></LI></ol></div>
<p class="docText">We'll start with the <tt>is_uploaded_file</tt> function to check that a file was indeed uploaded.</p>
<p class="docText"><a class="docLink" href="#learnphpmysql-CHP-11-EX-25">Example 11-25</a> verifies that the file exists in the temporary directory with the proper temporary name. If it doesn't, stop processing the file and warn the user that he needs to try again.</P>
<a name="learnphpmysql-CHP-11-EX-25"></a><H5 id="title-IDAC0E1L" class="docExampleTitle">Example 11-25. Checking for the existence of an uploaded file</H5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><td>

<pre>
&lt;?php

if (!is_uploaded_file($HTTP_POST_FILES['upload_file']['tmp_name'])) {
  $error = "You must upload a file!";
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
} else {
  //proceed to process the file
}

?&gt;
</pre><br>

</td></tr></table></p>
<p class="docText">Now in <a class="docLink" href="#learnphpmysql-CHP-11-EX-26">Example 11-26</a>, we make sure the file isn't too big.</p>
<a name="learnphpmysql-CHP-11-EX-26"></a><h5 id="title-IDAT0E1L" class="docExampleTitle">Example 11-26. Checking the file size</h5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><td>

<pre>
&lt;?php
$maxsize=28480;
if ($HTTP_POST_FILES['upload_file']['size'] &gt; $maxfilesize) {
  $error = "Error, file must be less than $maxsize bytes.";
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
} else {
  // proceed to process the file.
}
?&gt;
</pre><br>

</TD></tr></table></p>
<p class="docText">To validate the size of a file, assign the maximum allowed file size in bytes to the variable <tt>$maxsize</tt>. In this case, you are checking for 28,480 bytes. You already have the file size stored in the <tt>$HTTP_POST_FILES</tt> array, so it's easy to check. If the file is too big, you need to tell the user about the problem and make him upload a different file. You also need to remove the file using the <tt>unlink</tt> function so that you don't end up with a million files sitting in the temporary directory.</P>
<P><table border="0" bgcolor="black" cellspacing="0" cellpadding="1" width="90%" align="center"><tr><TD><table bgcolor="white" width="100%" border="0" cellspacing="0" cellpadding="6"><tr><td width="60" valign="top"><img src="images/tip_yellow.jpg" width="50" height="54" alt=""></td><TD valign="top">
<p class="docText">You might be tempted to validate the type of file by simply looking at its file extension, but this isn't a good idea, since it's trivial to modify the file extension of a file before uploading it.</p>
</td></TR></table></td></tr></table></P><br>
<p class="docText">Next, <a class="docLink" href="#learnphpmysql-CHP-11-EX-27">Example 11-27</a> checks the file type to make sure it's either a JPEG or a GIF file.</p>
<a name="learnphpmysql-CHP-11-EX-27"></a><h5 id="title-IDAU1E1L" class="docExampleTitle">Example 11-27. Checking the file type</h5><P><table cellspacing="0" width="90%" border="1" cellpadding="5"><TR><td>

<pre>
&lt;?php

if($HTTP_POST_FILES['upload_file']['type'] != "image/gif" AND
$HTTP_POST_FILES['upload_file']['type'] != "image/pjpeg" AND
$HTTP_POST_FILES['upload_file']['type'] !="image/jpeg") {
  $error = "You may only upload .gif or .jpeg files";
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
} else {
   //the file is the correct format
}

?&gt;
</pre><br>

</td></tr></table></P>
<p class="docText">Use the <tt>$HTTP_POST_FILES['file']['type']</tt> variable to compare the mime type against the types expected. This is much harder to alter than the file extension. If you find that the file type doesn't match, warn the user that he'll need to upload a different file and remove the temporary file.</p>
<p class="docText">The following line copies the file from the temporary directory into the <span class="docEmphasis">uploads</span> directory using the same filename:</P>
<pre>
copy($HTTP_POST_FILES['upload_file']['tmp_name'],"uploads/".
$HTTP_POST_FILES['upload_file']['name']);
</pre><br>

<p class="docText">Using <tt>unlink</tt>, let's remove the temporary file:</P>
<pre>
unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
</pre><BR>

<p class="docText">To help prevent misuse of the upload processing script, validate that the submit button was pressed. Take a look at the entire script in <a class="docLink" href="#learnphpmysql-CHP-11-EX-28">Example 11-28</a>.</P>
<a name="learnphpmysql-CHP-11-EX-28"></a><h5 id="title-IDAY2E1L" class="docExampleTitle">Example 11-28. Processing an uploaded file</h5><p><table cellspacing="0" width="90%" border="1" cellpadding="5"><tr><td>

<pre>
&lt;?php
$maxsize=28480; //set the max upload size in bytes
if (!$HTTP_POST_VARS['submit']) {
  //print_r($HTTP_POST_FILES);
  $error=" ";
//this will cause the rest of the processing to be skipped
//and the upload form displays
}
if (!is_uploaded_file($HTTP_POST_FILES['upload_file']['tmp_name']) AND
!isset($error)) {
  $error = "&lt;b&gt;You must upload a file!&lt;/b&gt;&lt;br&gt;&lt;br&gt;";
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}
if ($HTTP_POST_FILES['upload_file']['size'] &gt; $maxsize AND !isset($error)) {
  $error = "&lt;b&gt;Error, file must be less than $maxsize bytes.&lt;/b&gt;&lt;br&gt;&lt;br&gt;";
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}
if($HTTP_POST_FILES['upload_file']['type'] != "image/gif" AND
$HTTP_POST_FILES['upload_file']['type'] != "image/pjpeg" AND
$HTTP_POST_FILES['upload_file']['type'] !="image/jpeg" AND !isset($error)) {
  $error = "&lt;b&gt;You may only upload .gif or .jpeg files.&lt;/b&gt;&lt;br&gt;&lt;br&gt;";
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
}
if (!isset($error)) {
copy($HTTP_POST_FILES['upload_file']['tmp_name'],"uploads/".$HTTP_POST_FILES
['upload_file']['name']);
  unlink($HTTP_POST_FILES['upload_file']['tmp_name']);
  print "Thank you for your upload.";
  exit;
}
else
{
  echo ("$error");
}
?&gt;

&lt;html&gt;
&lt;head&gt;&lt;/head&gt;
&lt;body&gt;
&lt;form action="&lt;?=$PHP_SELF?&gt;" method="post" enctype="multipart/form-data"&gt;
Choose a file to upload:&lt;br&gt;
&lt;input type="file" name="upload_file" size="80"&gt;
&lt;br&gt;
&lt;input type="submit" name="submit" value="submit"&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
</pre><br>

</td></tr></table></p>
<p class="docText">Each validation checks to see whether a prior step failed; if so, it doesn't continue the validation. When you reach the end of the validation section, you print out the value in the <tt>$error</tt> variable. If there were no errors, no error message displays and you move the image to its final destination. If you encountered an error, or if this is the first time the script has been called, you display the file upload form.</p>
<p class="docText"><a class="docLink" href="#learnphpmysql-CHP-11-FIG-19">Figure 11-19</a> shows what the form looks like.</p>
<a name="learnphpmysql-CHP-11-FIG-19"></a><p><center>
<h5 class="docFigureTitle">Figure 11-19. The upload form with an invalid file selected</h5>
<img border="0" alt="" id="195131084204" width="510" height="140" SRC="images/learnphpmysql_1119.jpg">
</center></P><br>
<p class="docText">When this file is submitted, you should see an error, shown in <a class="docLink" href="#learnphpmysql-CHP-11-FIG-20">Figure 11-20</a>, since it's not a <span class="docEmphasis">.jpg</span> or <span class="docEmphasis">.gif</span> file.</p>
<a name="learnphpmysql-CHP-11-FIG-20"></a><P><center>
<H5 class="docFigureTitle">Figure 11-20. The .ini file was caught by the validation</h5>
<img border="0" alt="" id="195131084204" width="535" height="193" SRC="images/learnphpmysql_1120.jpg">
</center></P><br>
<p class="docText">Next, we'll try sending in a 506K image. Remember, the limit is 20K, so this is much larger than what you're allowing. <a class="docLink" href="#learnphpmysql-CHP-11-FIG-21">Figure 11-21</a> shows what happens.</p>
<a name="learnphpmysql-CHP-11-FIG-21"></a><p><center>
<H5 class="docFigureTitle">Figure 11-21. We caught the file size error, too</h5>
<img border="0" alt="" id="195131084204" width="535" height="193" SRC="images/learnphpmysql_1121.jpg">
</center></p><BR>
<p class="docText">OK, now we'll try a file that meets the validation criteria, to get the happier result shown in <a class="docLink" href="#learnphpmysql-CHP-11-FIG-22">Figure 11-22</a>.</p>
<a name="learnphpmysql-CHP-11-FIG-22"></a><p><center>
<H5 class="docFigureTitle">Figure 11-22. A successful upload!</h5>
<img border="0" alt="" id="195131084204" width="497" height="131" SRC="images/learnphpmysql_1122.jpg">
</center></p><br>
<p class="docText">There's now a file called <span class="docEmphasis">logo.jpg</span> in the <span class="docEmphasis">uploads</span> directory on your server. To increase security slightly, you could pick your own filenames instead of using a user-supplied name.</p>



</TD></TR></table>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td><div STYLE="MARGIN-LEFT: 0.15in;">
<a href=learnphpmysql-CHP-11-SECT-2.html><img src="images/prev.gif" width="60" height="17" border="0" align="absmiddle" alt="Previous Page"></a>
<td align="right"><div STYLE="MARGIN-LEFT: 0.15in;">
<a href=learnphpmysql-CHP-11-SECT-4.html><img src="images/next.gif" width="60" height="17" border="0" align="absmiddle" alt="Next Page"></a>
</div></td></tr></table>
<script type="text/javascript"><!--
google_ad_client = "pub-0203281046321155";
google_alternate_ad_url = "http://www.bookhtml.com/adbrite.htm";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel ="4867465545";
google_color_border = "FFFFFF";
google_color_link = "0000FF";
google_color_bg = "FFFFFF";
google_color_text = "000000";
google_color_url = "0000FF";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</html>
